1. Field of the Invention
The present invention relates to a method, system, and program for securely providing keys to encrypt and decrypt data in a storage cartridge.
2. Description of the Related Art
Protecting and securing data is a primary concern that must be addressed when designing information management systems, whether for a single user, small business, or for large corporations or government agencies. It is common for data to be continually archived on various storage media, such as tape cartridges or optical disks. When archiving data on tape or other removable storage medium, one security concern is that the tape will be lost or stolen and that someone will attempt to access the data it contains. Also, if the tape can be mounted into a tape drive through remote commands transmitted over a network, then there is a concern that someone may “hack” into the system, mount the tape or other storage medium in a drive, and then access the data.
Prior approaches to addressing these issues include encrypting all or most of the data on the storage media, but each of these has inherent drawbacks, including security weaknesses, implementation challenges, and/or unwieldy complexity. For example, conventional solutions that store encrypted data on a tape together with the data key used to encrypt the data in wrapped form allow anyone having physical access to the tape to retrieve the wrapped data key from the tape and, if they can unwrap the data key, use it to decrypt the data. Alternatively, data keys can be stored on the tape drive, but key management becomes complicated when using multiple tape drives, as each tape drive has to be able to store all keys that are in use by all tape cartridges in the tape storage library. Storing data keys on the tape drive also creates issues if the drive fails or is stolen. For example, if only one drive is in use and it fails, then the keys need to have been stored somewhere else (e.g. on the tape cartridge or in a key manager) so they can be loaded into the replacement tape drive before the encrypted tape cartridges can be processed. If multiple tape drives are in use and one of them is stolen, it could be compromised and the keys it contains recovered, allowing all of the encrypted tape cartridges in the tape storage library to be read.
In addition, use of a single key to encrypt all of the data on one or more tape cartridges allows whoever has use of the key to decrypt all of the data on the tape cartridge, including data that does not belong to that user. Furthermore, use of a single encryption key does not allow a control entity to restrict a predetermined party's access to only their own data when it is commingled on a shared tape cartridge with encrypted data belonging to other parties. Conversely, using multiple keys for one or more cartridges can lead to a proliferation of keys as the number of authorized users, tape drives, and tape cartridges grows. Conventional encryption systems might also maintain the encryption and decryption keys external to the tape drive, and the management and transfer of large numbers of such encryption keys can cause significant performance degradation. Other data encryption approaches require special drive hardware to encrypt and decrypt tape data using an externally stored encryption key (e.g. the key is stored on the host system and not on the tape cartridge), creating other key management issues.